[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: md5sum passwords

> A mixed solution may be possible, supplying DES (from both a US and a
> non-US site) to those who require YP support.  I'm still not in favor
> of Debian doing this alone in the Linux community, though.

<sigh>Yep, another "me too" reply...</sigh>

I see quite often, like here at McGill University, what you get quite
often are mixtures of older machines (suns, sgi, etc) and a few people
running linux boxes and wanting to network. Try telling people that
you can't interoperate a linux box on the net, and you seriously
damage linux's credibility.

Also, when it comes to the fixed vs. variable length password issue, I
think compatability should be the key focus, not security. Why? Well,
at an 8 character limit, if we use upper/lower case letters, numbers,
and just a few symbols, we get at *least* 64 possible characters per
password position -> at *least* 6 bits of entropy per character ->
at least 48 bits per password. That's plenty for most installations.

Longer passwords, while they may preclude compatablility with other
systems, are no excuse for not choosing good passwords: "I love
Francesca" may have more than 8 characters, but it certainly is not
more secure than "R8#cjs;)". There are plenty of references on how to
pick good passwords in 8 characters.

Just my 0.02$,
-Andrew. <adfernan@cnd.mcgill.ca>

Reply to: